Risk Practice

McKINSEY WORKING PAPERS ON RISK

Taking control of organizational risk culture

Number 16, February 2010
Cindy Levy, Eric Lamarre, and James Twining


Confidential Working Paper. No part may be circulated, quoted, or reproduced for distribution 
without prior written approval from McKinsey & Company. 


McKinsey&Company 


Taking control of 
organizational risk culture 


Contents

Introduction
Risk culture in context
Defining risk culture
Understanding the sources of risk culture failure
Risk culture: defining the weak end of the continuum
Diagnosing organizational risk culture
The risk assessment journey: benefits for managers
Selected pilot findings and interventions
Case study 1 — global investment bank
Case study 2 — global professional services firm


Introduction 


As the global financial crisis has evolved, so too have references by regulators, market 
commentators and the media to failures in institutional “risk culture,” as a key contributing 
factor to the various bank collapses and losses witnessed over the past few years. The 
concept of “risk culture” featured prominently, for example, in the 2008 report by the Institute of 
International Finance (IIF) on the failings that led to the credit and liquidity crisis among global 
banks. 


“Cultivation of a consistent ‘risk culture’ throughout firms is the most important element in 
risk management.” — IIF, Final Report on Market Best Practices for Financial Institutions 
and Financial Products, August 2008 


While references to “risk culture” are proliferating — often in connection with a wide range of 
catastrophes — the term is rarely defined adequately. It is usually spoken of only 
narrowly, in the context of incentive and organization structures, while its essential attributes 
are left undetermined. This narrow focus has led to risk culture being seen as too difficult to 
grasp, and so, within the broader context of efforts to improve the understanding and management 
of risk, it has been essentially ignored. 


This is a mistake. Risk culture is at the heart of the human decisions that govern the 
day-to-day activities of every organization. It is relevant to all parts of the organization, not just risk 
managers. And when it goes wrong, as in the SocGen rogue trading scandal in 2008 or the 
Challenger Space Shuttle disaster in 1986, the consequences can be devastating and even 
fatal. 


Failures such as fraud, the collapse of complex derivatives positions, safety breaches, 
operational disasters, and over-leveraging have their origin in flaws in unique organizational 
cultures that allowed particular risks to take root and grow. 


This working paper is intended to bring the concept of risk culture into the light, where it can be 
usefully understood. First, it offers a methodical, rational definition of the essence of risk 
culture. Second, it puts forward a model for how organizations of all kinds can assess their 
risk culture, and then intervene in areas where this culture might be vulnerable. Third, it 
provides real case examples of the application of this approach. 


Risk culture in context 


With the global economy still finding its footing, many organizations are in “lock-down” mode. 
They are concentrating all their energies on surviving in the changed environment by 
stemming losses, cutting costs and stabilizing their revenue base. Where attention is paid to 
risk, the focus is more often than not on improving existing risk management systems and 
models rather than tackling the underlying culture. 




While the burden of today’s short-term economic pressures is undeniably heavy and 
time-consuming, managers should recognize that a strong risk culture plays a critical role in 
determining an organization’s health and performance. It should therefore be among 
the first things that managers consider as their organizations move through the economic 
cycle, not the last. 


Defining risk culture 


Many managers and analysts feel they have an intuitive understanding of risk culture, but 
may not be able to define it precisely and concretely. Without a clear and holistic 
understanding of risk culture, however, organizations tend to address risk with narrow 
structural approaches (e.g., a strong CRO and empowered risk function) and incentives (e.g., 
deducting a capital charge from the bonus pool, deferring bonus payments). Although such 
approaches in and of themselves can be helpful, we would argue that in the context of the 
post-crisis world, they are insufficient for addressing risk culture. To do this 
adequately, a definition of risk culture is needed. In consultation with clients, practitioners, and 
academics, we have therefore distilled the following definition: 


Risk culture: “The norms of behavior for individuals and groups within an organization that 
determine the collective ability to identify and understand, openly discuss and act on the 
organization’s current and future risks.” [1] 


In a strong risk culture, these norms or attributes of an organization nurture and sustain a 
common set of standards whose rigor and disciplines define its approaches to risk-taking. This 
sense of common purpose and understanding was described by author Edgar Schein as the 
“deeper level of basic assumptions and beliefs that are shared by members of an organization, 
that operate unconsciously, and that define in a basic ‘taken for granted’ fashion an 
organization’s view of itself and its environment.” [2] It is what McKinsey’s late managing 
partner Marvin Bower meant by his simple phrase, “the way we do things around here.” 


A strong risk culture demonstrates several critical and mutually reinforcing elements: 

- A clear and well communicated risk strategy 
- High standards of analytical rigor and information-sharing across the organization 
- Rapid escalation of threats or concerns 
- Visible and consistent role-modeling of desired behaviors and standards by senior 
  managers 
- Incentives which encourage people to “do the right thing” and think about the 
  overall health of the whole organization 
- Continuous and constructive challenging of actions and preconceptions at all levels 
  of the organization. 

[1] McKinsey has contributed this definition and key elements of its analysis and risk culture framework to the IIF 
working group focused on the Risk Culture section of the IIF report, “Reform in the Financial Services 
Industry: Strengthening Practices for a More Stable Industry” (December 2009). 

[2] Edgar Schein, Organizational Culture and Leadership (Jossey-Bass, 2004). 


The behaviors of people — the choices they make and their judgments about the behavior of 
others — take place within the context of their organization, a complex mechanism of systems, 
processes, and structures. The formal organizational context sets boundaries for acceptable 
behaviors. Consequently, fragilities in risk culture behaviors are, more often than not, the 
consequence of weaknesses in these formal systems and structures. 


A successful risk culture model therefore needs to account for all the meaningful interactions 
that happen inside organizations, including those between individuals and between groups of 
individuals acting in teams or business units, as well as interactions at the institutional level, 
involving senior management and strategic decision-making processes. 


Understanding the sources of risk culture failure 


The character of risk culture failures can range from the relatively mundane, such as a failed 
trade or a lapse in a routine safety procedure, to the fatally catastrophic, such as a gas 
pipeline explosion or the Space Shuttle disaster. Whatever their degree of severity, such 
failures have important common causes and implications. 


- Whether triggered by an internal or external agent, risk culture failures often expose 
  a long-standing cultural weakness or a linked series of weaknesses that have been 
  incubating over time and that can be clearly recognized after the event. 

- Failures and near failures often offer managers and key stakeholders a window of 
  opportunity to demand changes that strengthen an organization's risk culture and 
  make it more robust. Unfortunately, some of the most powerful stimuli to change 
  come when bad things happen, or are only narrowly averted. 


We organized our research around 20 detailed case studies of risk culture failure. We 
analyzed them from an external perspective and then also interviewed people close to the 
actual situations. The case studies included hospital disasters that led to multiple patient 
deaths, operational and safety failures that cost lives and large sums of money, legal 
settlements in which firms paid significant damages to avoid further reputational harm, and 
rogue trading and other banking-related losses. In each case, we sought to understand the 
cultural factors that had contributed to each failing and to recognize any common factors or 
patterns. 


This approach allowed us to identify ten key risk culture factors that were consistently 
observed as contributing to the failures, although to a greater or lesser extent in each case 
(see note 1). These factors are present in every organization and are measurable along 
a continuum from weak (higher risk) to strong (lower risk) (Exhibit 1). 




Exhibit 1 
Risk culture framework 

Group                    | Dimension: high risk   | Dimension: low risk 
-------------------------|------------------------|------------------------ 
Transparency of risk     | Poor                   | Good 
                         | Unclear                | Clear 
                         | Lack of insight        | Good insight 
Acknowledgement of risk  | Overconfidence         | Confident but careful 
                         | No challenge           | Constructive challenge 
                         | Fear of bad news       | Reward honesty 
Responsiveness to risk   | Indifference           | Diligence 
                         | Slow                   | Fast 
Respect for risk         | Gaming                 | Coordinating 
                         | Beat the system        | Play by the rules 


The ten factors can be gathered into four associated groups which can indicate the principal 
risk culture failure tendencies of particular organizations. We have named these groups: 
Transparency of risk, Acknowledgment of risk, Responsiveness to risk, and Respect for risk. 
Each risk culture dimension is described in terms of the “weak” end of its continuum 
in the box that follows. The examples of 
failure provided in these descriptions are intended to be illustrative of particular elements of 
risk culture weakness, but it is worth keeping in mind that failure events are usually the result 
of more than one cultural factor. 




Risk culture: Defining the weak end of the continuum 


Transparency 


Poor communication. A culture where warning signs of both internal and external risks 
are not shared. Example: the global engineering firm where significant project delays 
routinely surprised senior management, since there was no process to generate insights 
from data that aggregated minor issues. 


Unclear tolerance. A culture where the leadership does not communicate a clear risk 
appetite or fails to present a coherent approach or strategy. Example: the global logistics 
firm where cost-cutting decisions were taken without accounting for their potential impact 
on operational risk failures. 


Lack of insight. A culture where the organization fails to understand the risks it is 
running or believes that such an understanding is the preserve of risk specialists. 
Example: the meat processing company that made a series of bets on corn prices without 
having the right information to understand and manage their positions. 


Acknowledgment 


Overconfidence. A culture where people believe that their organization is insulated or 
even immune from risk because of its superior position or people. Example: the energy 
trading company whose self-perceived market expertise eventually contributed to its 
collapse, as it took on too much risk. 


No challenge. A culture where individuals do not challenge each other’s attitudes, ideas 
and actions. Example: the leading European bank, where senior management formed a 
very tight unit that neither allowed nor invited internal debate and ended up making a 
series of disastrous strategic and M&A decisions. 


Fear of bad news. A culture where management and employees feel inhibited about 
passing on bad news or learning from past mistakes. Example: the deadly outbreak of 
MRSA (an antibiotic-resistant strain of bacteria) in a hospital where junior staff were afraid 
to report early signs of trouble for fear of being blamed or criticized. 


Responsiveness 


Indifference. A culture which discourages responding to situations or fosters apathy 
about the outcome, either due to bad faith or incompetence. Example: the retail bank that 
incurred a large fine after it knowingly allowed unqualified sales staff to sell inappropriate 
loan guarantee products. 


Slow response. A culture where the organization perceives external changes but reacts 
too slowly or is in denial about innovation or the likely impact of change. Example: the 
overleveraged hedge fund that collapsed after failing to respond quickly enough to a 
market shift. 


Respect 


Beat the system. A culture where risk appetites are misaligned with the organization's 
risk profile, leaving room for the conception and implementation of inappropriate activities. 
Example: the options trading group of a large bank that took unauthorized positions and 
incurred major losses. 


Gaming. A culture where individual units take risks or embrace projects which could 
benefit the unit, but are out of line with the organization's risk appetite. Example: the 
derivatives structuring unit of a major bank that exploited inconsistencies in credit 
approval processes to maximize their chances of sign-off from the risk function. 




Diagnosing organizational risk culture 


The identification and definition of the factors and groups of risk culture failure has created the 
opportunity to design a diagnostic approach to assess a given organization for its vulnerability 
to risk culture failure (Exhibit 2). 


In partnership with organizational psychologists, McKinsey has accordingly used its case 
studies to devise a survey tool, “backward engineering” the questions that should have been 
asked to diagnose the cultural weaknesses that can lead to major risk failures. The 
backward-engineered questions are then refined through conversations with survey and risk 
experts and through client pilots, to create a survey optimally designed to discover leading 
indicators of potential risk culture failures. 


Exhibit 2 
Risk culture diagnostic approach 

Core risk culture diagnostic: 

1. Administer risk culture diagnostic survey 
   - Tailor and launch survey 

2. Perform selected interviews 
   - Select and notify interview participants 
   - Conduct and log selected interviews, in parallel to running the survey 

3. Analyze results and explore high-level actions 
   - Analyze and synthesize survey and interview findings 
   - Identify potential failures and strengths 
   - Suggest possible root causes (based primarily on interview findings) and high-level interventions 

Intervention design: 

4. Deep analysis of root causes, intervention design and delivery 
   - Perform detailed root cause analysis on identified risk culture weaknesses 
   - Design, with management, a detailed intervention strategy and phased mobilization plan 
   - Support management in delivering interventions 


This survey tool is administered electronically and the results can be organized according to 
different demographic splits to reveal risk culture “hot spots” within different business units, 
geographies, tenures, or seniority levels (Exhibit 3). 




Exhibit 3 (simplified client example) 
Diagnostic output example 

[Chart: the dimensions Challenge, Level of care, Tolerance and Adherence to rules, each shaded as lower, medium or higher risk. Callouts on the chart:] 
- People hesitant to communicate mistakes, and insufficient sharing of and learning from mistakes 
- Open culture where challenge is welcome 
- Some people perceived to be exhibiting signs of overconfidence and complacency 
- Employees highly motivated to be mindful of quality in their work 
- There is a lack of clarity on risk appetite in some areas 
- Evidence of tension between teams within the unit and between the front line and the control functions 


Complementing this diagnostic survey are a series of interviews, designed to get beneath the 
survey results and add an extra dimension to our understanding of the problem, and also to 
detect any factors that have not been captured within the survey. Both the survey results and 
the interview findings can then be analyzed to illustrate to management the risk culture 
challenges they face. By then leveraging our well-tested performance transformation toolkit, 
managers can design a specific set of interventions to address the root causes of the risk 
culture weakness and reduce the likelihood of a failure taking place. 


For the first time, therefore, managers across the business — not just in the risk function — can 
call upon a structured approach and fact-based mapping to identify and describe potentially 
damaging tendencies or patterns of behavior that might previously have been hidden from 
their gaze, and then take specific actions to reduce their overall vulnerability. 


The risk assessment journey: benefits for managers 


Managers considering embarking on a journey to better understand and then strengthen their 
risk culture are justified in asking themselves what the benefits of such an exercise will be. 
This journey will not cure all an organization’s risk-related ills, nor will the attained result — a 
strong risk culture — protect an organization from all harm. 


What this journey will do, however, is foster a common language and framework for describing 
an organization’s risk culture, and provide managers with a concrete program for engaging 
and intervening in problem areas. The findings of the survey and interviews can be shared 
with all staff, not just the risk function, so that the entire organization has the collective 
understanding needed to sustain a strong risk culture. 


The survey scores and interview responses also provide a fact base that can help reveal 
potential weaknesses, support the case for change, and indicate whether further investigation 
is required or where action might be taken. The fact base can thus turn a critical but 
previously little understood long-term driver of business health into an accessible and 
user-friendly management tool for enabling a more complete and robust enterprise risk 
management framework (Exhibit 4). 


Exhibit 4 (simplified client example) 
Demographic analysis — example output 

[Chart: demographic split by designation (Director, Vice president). Frequency of failure driver designated as somewhat to strongly agree, %; lower % = higher risk. Columns are grouped under Transparency, Acknowledgement, Responsiveness and Respect, with cells shaded lower, medium or higher risk.] 

Note: Scores over 90% in this dimension were deemed to be potentially suggestive of a 
lack of reflection, or risk complacency. 


As we build a database of survey results, organizations become able to benchmark their risk 
culture scores against other similar organizations and assess where they are particularly 
strong or weak versus peers. 


Selected pilot findings and interventions 


In the course of developing our thinking and tools, we have piloted our approach with leading 
global institutions in both the private and public sectors and across a range of industries. As 
well as highlighting possible improvements to the survey questions, the pilots have also helped 
confirm the effectiveness of the underlying methodology and how it can be used to provide 
management with a clear set of observations, root causes, and priority interventions, which 
can then be further detailed in subsequent phases of work if required. 



Taken together with the other pilots we have run, these case studies confirmed the durability 
and usefulness of our survey and interview diagnostic tool, including its ability to stimulate 
highly effective management discussions and targeted actions to strengthen an organization's 
risk culture. 


Case study 1 — global investment bank 


At a global investment bank, we assessed the risk culture of a unit within their sales and 
trading division. This unit had only recently been formed by integrating a series of previously 
independent and product-aligned structuring teams. Managers were therefore worried about 
the unit’s ability to gel and function as one team, and how market pressures, including 
downsizing, might affect people’s behaviors and the risk choices they were making. 


The unit displayed relative strengths in challenging each other’s ideas, attitudes and actions 
(“Challenge”) and cared about doing a good job and protecting the bank’s reputation (“Level of 
care”). However, management's concerns around the unit’s lack of cohesion were confirmed, 
with “Cooperation” emerging as a priority hot spot. 


Less expected, however, was the insight that some parts of the unit found that the bank's risk 
tolerance was unclear (“Tolerance”) and inconsistently applied, with communication and joint 
working lacking between the risk function and the front-line. Other insights emerged in the 
analysis of some of the demographic splits. More senior and more tenured employees, for 
example, perceived the unit's risk culture to be weaker than their more junior colleagues. 


Given this diagnosis, we suggested three major intervention themes for management to 
consider. 


1. Senior leadership team should (visibly) align and engage around a shared 
agenda, on the basis that their people would only behave differently if they saw 
their leaders speaking and acting differently. 


2. The way the unit’s risk tolerance is communicated should be radically 
changed, so that there is more clarity on risk decisions and more front-line 
involvement in how the risk appetite is set. 


3. Internal structures and processes should be rethought, so that product 
boundaries are clearer and trade approval mechanisms tightened. 


Case study 2 — global professional services firm 


We assessed the risk culture of a unit of a global professional services firm. Although 
management had no particular in-going concerns, believing the overall risk culture to be very 
healthy, they were interested in understanding where they could improve and if there were any 
meaningful variations by tenure or role. 


An analysis of the findings indicated that the overall risk culture was indeed robust, especially 
with respect to the “Speed of Response” and “Level of Care” factors, where the scores 
suggested that people were very responsive to change and deeply concerned about the 
impact and quality of their work. 


“Confidence,” however, emerged as a potential hot spot, with a risk that more junior staff might 
over-extend themselves. “Challenge” was also an area of concern, with some junior tenures 



Organizations across all sectors have an opportunity to rethink their traditional approach to risk 
management and tackle the underlying cultural drivers of risk failure. 


The good news for managers is that our research shows that risk culture need no longer be 
considered as an inscrutable black box. Rather, risk culture can be defined, categorized and 
diagnosed, using a combination of a survey tool and interviews which can reveal leading 
indicators of vulnerability based on past examples of risk culture failure. This approach to a 
risk assessment journey enables specific interventions to be designed and implemented to 
reduce the likelihood of a failure taking place. 


Of course, risk will remain an unavoidable and essential element in the DNA of most 
organizations. It is inconceivable that a technology company could wholly avoid new product 
risk, or a bank avoid trading risk, or a hospital avoid the risks of complex surgeries. Certain 
risks are inherent in each field and cannot be entirely eliminated by any active organization. 
What can be minimized, however, is exposure to unnecessary risks. It is therefore vitally 
important that management actively shape a risk culture in which only these inherent risks are 
being managed and run, and that their people, in accordance with the organization’s risk 
profile, are playing their part in excluding all other risks as extraneous and nonessential. 


Cindy Levy is a director and James Twining is an associate principal in McKinsey’s London 
office, and Eric Lamarre is a director in the Montréal office. The authors would like to thank 
Andrew Freeman, an alumnus of the London office, for his contribution to this paper. 




McKINSEY WORKING PAPERS ON RISK 

1. The Risk Revolution 
   Kevin Buehler, Andrew Freeman and Ron Hulme 
2. Making Risk Management a Value-Added Function in the Boardroom 
   Gunnar Pritsch and André Brodeur 
3. Incorporating Risk and Flexibility in Manufacturing Footprint Decisions 
   Martin Pergler, Eric Lamarre and Gregory Vainberg 
4. Liquidity: Managing an Undervalued Resource in Banking after the Crisis of 2007-08 
   Alberto Alvarez, Claudio Fabiani, Andrew Freeman, Matthias Hauser, Thomas Poppensieker and Anthony Santomero 
5. Turning Risk Management into a True Competitive Advantage: Lessons from the Recent Crisis 
   Gunnar Pritsch, Andrew Freeman and Uwe Stegemann 
6. Probabilistic Modeling as an Exploratory Decision-Making Tool 
   Martin Pergler and Andrew Freeman 
7. Option Games: Filling the Hole in the Valuation Toolkit for Strategic Investment 
   Nelson Ferreira, Jayanti Kar, and Lenos Trigeorgis 
8. Shaping Strategy in a Highly Uncertain Macro-Economic Environment 
   Natalie Davis, Stephan Gorner, and Ezra Greenberg 
9. Upgrading Your Risk Assessment for Uncertain Times 
   Martin Pergler and Eric Lamarre 
10. Responding to the Variable Annuity Crisis 
    Dinesh Chopra, Onur Erzan, Guillaume de Gantés, Leo Grepin, and Chad Slawner 
11. Best Practices for Estimating Credit Economic Capital 
    Tobias Baer, Venkata Krishna Kishore, and Akbar N. Sheriff 
12. Bad Banks: Finding the Right Exit from the Financial Crisis 
    Luca Martini, Uwe Stegemann, Eckart Windhagen, Matthias Heuser, Sebastian Schneider, and Thomas Poppensieker 
13. Developing a Post-Crisis Funding Strategy for Banks 
    Arno Gerken, Matthias Heuser, and Thomas Kuhnt 
14. The National Credit Bureau: A Key Enabler of Financial Infrastructure and Lending in Developing Economies 
    Tobias Baer, Massimo Carassinu, Andrea Del Miglio, Claudio Fabiani, and Edoardo Ginevra 
15. Capital Ratios and Financial Distress: Lessons from the Crisis 
    Kevin Buehler, Hamid Samandari, and Christopher Mazingo 
16. Taking control of organizational risk culture 
    Cindy Levy, Eric Lamarre, and James Twining 

EDITORIAL BOARD 

Rob McNish, Managing Editor 
Director, McKinsey & Company, Washington, D.C. 
Rob_McNish@mckinsey.com 

Kevin Buehler 
Director, McKinsey & Company, New York 
Kevin_Buehler@mckinsey.com 

Leo Grepin 
Director, McKinsey & Company, New York 
Leo_Grepin@mckinsey.com 

Cindy Levy 
Director, McKinsey & Company, London 
Cindy_Levy@mckinsey.com 

Martin Pergler 
Senior Risk Expert, McKinsey & Company, Montreal 
Martin_Pergler@mckinsey.com 

Anthony Santomero 
Senior Advisor, McKinsey & Company, New York 
Anthony_Santomero@mckinsey.com 


